4:11 a.m.
Hi,
I'm trying to enable strict policy on fc7, need to do this too. But i got this error
when I tried to compile the module
[root@localhost local_module_for_login]# make -f /usr/share/selinux/devel/Makefile
local.pp
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:10:ERROR 'unknown class capability used in rule' at token ';' on
line 80642:
#line 10
allow local_login_t self:capability audit_write;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
Thanks & Rgds,
Louis
----- Original Message ----
From: shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp>
To: Hal <hal_bg(a)yahoo.com>; fedora-selinux-list(a)redhat.com
Sent: Tuesday, August 7, 2007 5:27:16 PM
Subject: Re: Strict policy on FC6 and F7
2007-08-07 (火) の 09:48 -0700 に Hal さんは書きました:
Hallo
After a problem with the strict policy in FC6: firefox does not start under
strict policy. No messages at all. I decided to check if firefox under strict
policy on F7 works.
I have installed F7 and enabled strict policy. But from now on I can no longer
login in enforcing is on . When I enter username and password and I get
permission denied even for root in GDM. In console I just get new "username"
prompt.
I do not understand why firefox does not start in fc6 and
can not longin on F7 under strict policy?
What might be wrong?
Because, now you're in enforcing mode,
please disable SELinux and login.
Install devel policy.
#yum install selinux-policy-devel
Please install this module.
#vim local.te
module local 1.0;
require {
type local_login_t;
class netlink_audit_socket { append bind connect shutdown ioctl
getattr
setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create
read };
}
logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
#make -f /usr/share/selinux/devel/Makefile local.pp
#semodule -i local.pp
#semodule -l|grep local
Set SELinux enforcing.
Did it work?
Hal
____________________________________________________________________________________
Luggage? GPS? Comic books?
Check out fitting gifts for grads at Yahoo! Search
http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&...
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Send instant messages to your online friends http://uk.messenger.yahoo.com
4:57 a.m.
New subject: Strict policy on FC6 and F7
Hi
So far it did not work. This is what I get:
[root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:9:ERROR 'syntax error' at token 'logging_send_audit_msg' on line
81076:
logging_send_audit_msg(local_login_t)
}
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
Hal
--- Louis Lam <lshoujun(a)yahoo.com> wrote:
Hi,
I'm trying to enable strict policy on fc7, need to do this too. But i got
this error when I tried to compile the module
[root@localhost local_module_for_login]# make -f
/usr/share/selinux/devel/Makefile local.pp
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:10:ERROR 'unknown class capability used in rule' at token ';'
on
line 80642:
#line 10
allow local_login_t self:capability audit_write;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
Thanks & Rgds,
Louis
----- Original Message ----
From: shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp>
To: Hal <hal_bg(a)yahoo.com>; fedora-selinux-list(a)redhat.com
Sent: Tuesday, August 7, 2007 5:27:16 PM
Subject: Re: Strict policy on FC6 and F7
2007-08-07 (²Ð) ¤Î 09:48 -0700 ¤Ë Hal ¤µ¤ó¤Ï½ñ¤¤Þ¤·¤¿:
> Hallo
>
> After a problem with the strict policy in FC6: firefox does not start under
> strict policy. No messages at all. I decided to check if firefox under
strict
> policy on F7 works.
> I have installed F7 and enabled strict policy. But from now on I can no
longer
> login in enforcing is on . When I enter username and password and I get
> permission denied even for root in GDM. In console I just get new
"username"
> prompt.
>
> I do not understand why firefox does not start in fc6 and
> can not longin on F7 under strict policy?
>
> What might be wrong?
> Because, now you're in enforcing mode,
please disable SELinux and login.
Install devel policy.
#yum install selinux-policy-devel
Please install this module.
#vim local.te
module local 1.0;
require {
type local_login_t;
class netlink_audit_socket { append bind connect shutdown ioctl
getattr
setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create
read };
}
logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
#make -f /usr/share/selinux/devel/Makefile local.pp
#semodule -i local.pp
#semodule -l|grep local
Set SELinux enforcing.
Did it work?
> Hal
>
>
>
>
>
>
____________________________________________________________________________________
> Luggage? GPS? Comic books?
> Check out fitting gifts for grads at Yahoo! Search
> http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&...
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Send instant messages to your online friends http://uk.messenger.yahoo.com
____________________________________________________________________________________
Building a website is a piece of cake. Yahoo! Small Business gives you all the tools to
get online.
http://smallbusiness.yahoo.com/webhosting
6:36 a.m.
New subject: Strict policy on FC6 and F7
2007-08-08 (水) の 02:57 -0700 に Hal さんは書きました:
Hi
So far it did not work. This is what I get:
[root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.ppfe
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:9:ERROR 'syntax error' at token 'logging_send_audit_msg' on
line
81076:
logging_send_audit_msg(local_login_t)
}
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
All right.
I've checked Tresys page and foud interface name is...
http://oss.tresys.com/docs/refpolicy/api/interfaces.html
logging_send_audit_msgs
Try this.
Solved?
I have an another problem on strict policy, so keep in touch.
Cheers!
Hal
--- Louis Lam <lshoujun(a)yahoo.com> wrote:
> Hi,
>
> I'm trying to enable strict policy on fc7, need to do this too. But i got
> this error when I tried to compile the module
>
> [root@localhost local_module_for_login]# make -f
> /usr/share/selinux/devel/Makefile local.pp
> Compiling targeted local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> local.te:10:ERROR 'unknown class capability used in rule' at token
';' on
> line 80642:
> #line 10
> allow local_login_t self:capability audit_write;
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/local.mod] Error 1
>
> Thanks & Rgds,
> Louis
>
> ----- Original Message ----
> From: shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp>
> To: Hal <hal_bg(a)yahoo.com>; fedora-selinux-list(a)redhat.com
> Sent: Tuesday, August 7, 2007 5:27:16 PM
> Subject: Re: Strict policy on FC6 and F7
>
> 2007-08-07 (²Ð) ¤Î 09:48 -0700 ¤Ë Hal ¤µ¤ó¤Ï½ñ¤¤Þ¤·¤¿:
> > Hallo
> >
> > After a problem with the strict policy in FC6: firefox does not start under
> > strict policy. No messages at all. I decided to check if firefox under
> strict
> > policy on F7 works.
> > I have installed F7 and enabled strict policy. But from now on I can no
> longer
> > login in enforcing is on . When I enter username and password and I get
> > permission denied even for root in GDM. In console I just get new
> "username"
> > prompt.
> >
> > I do not understand why firefox does not start in fc6 and
> > can not longin on F7 under strict policy?
> >
> > What might be wrong?
> > Because, now you're in enforcing mode,
> please disable SELinux and login.
> Install devel policy.
>
> #yum install selinux-policy-devel
>
> Please install this module.
>
> #vim local.te
>
> module local 1.0;
>
> require {
> type local_login_t;
> class netlink_audit_socket { append bind connect shutdown ioctl
> getattr
> setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create
> read };
> }
>
> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
>
> #make -f /usr/share/selinux/devel/Makefile local.pp
> #semodule -i local.pp
> #semodule -l|grep local
>
> Set SELinux enforcing.
>
> Did it work?
>
>
> > Hal
> >
> >
> >
> >
> >
> >
>
____________________________________________________________________________________
> > Luggage? GPS? Comic books?
> > Check out fitting gifts for grads at Yahoo! Search
> > http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&...
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
>
>
>
>
> Send instant messages to your online friends http://uk.messenger.yahoo.com
____________________________________________________________________________________
Building a website is a piece of cake. Yahoo! Small Business gives you all the tools to
get online.
http://smallbusiness.yahoo.com/webhosting
6:25 a.m.
New subject: Strict policy on FC6 and F7
Ooops
This seems to be the same problem as Hal has.
My suggestion is, do not use allow sentence, but
use interface.
Please read Hal and I might solve this problem.
comment out those line same as interface says.
I mean,
#aloow locao_login_t ...
You can do it !
Because I already solved it.
2007-08-08 (水) の 02:11 -0700 に Louis Lam さんは書きました:
Hi,
I'm trying to enable strict policy on fc7, need to do this too. But i
got this error when I tried to compile the module
[root@localhost local_module_for_login]# make
-f /usr/share/selinux/devel/Makefile local.pp
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:10:ERROR 'unknown class capability used in rule' at token ';'
on line 80642:
#line 10
allow local_login_t self:capability audit_write;
/usr/bin/checkmodule: error(s) encountered while parsing
configuration
make: *** [tmp/local.mod] Error 1
Thanks & Rgds,
Louis
----- Original Message ----
From: shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp>
To: Hal <hal_bg(a)yahoo.com>; fedora-selinux-list(a)redhat.com
Sent: Tuesday, August 7, 2007 5:27:16 PM
Subject: Re: Strict policy on FC6 and F7
2007-08-07 (火) の 09:48 -0700 に Hal さんは書きました:
> Hallo
>
> After a problem with the strict policy in FC6: firefox does not
start under
> strict policy. No messages at all. I decided to check if firefox
under strict
> policy on F7 works.
> I have installed F7 and enabled strict policy. But from now on I can
no longer
> login in enforcing is on . When I enter username and password and I
get
> permission denied even for root in GDM. In console I just get new
"username"
> prompt.
>
> I do not understand why firefox does not start in fc6 and
> can not longin on F7 under strict policy?
>
> What might be wrong?
> Because, now you're in enforcing mode,
please disable SELinux and login.
Install devel policy.
#yum install selinux-policy-devel
Please install this module.
#vim local.te
module local 1.0;
require {
type local_login_t;
class netlink_audit_socket { append bind connect shutdown
ioctl
getattr
setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create
read };
}
logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
#make -f /usr/share/selinux/devel/Makefile local.pp
#semodule -i local.pp
#semodule -l|grep local
Set SELinux enforcing.
Did it work?
> Hal
>
>
>
>
>
>
____________________________________________________________________________________
> Luggage? GPS? Comic books?
> Check out fitting gifts for grads at Yahoo! Search
> http://search.yahoo.com/search?fr=oni_on_mail&p=graduation
+gifts&cs=bz
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Send instant messages to your online friends
http://uk.messenger.yahoo.com
2:39 p.m.
New subject: Strict policy on FC6 and F7
I have tryed with
logging_send_audit_msgs(local_login_t)
But still:
[root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:9:ERROR 'unknown class capability used in rule' at token ';' on
line
81105:
#line 9
allow local_login_t self:capability audit_write;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
I really have no idea what all this means.
there is nowhere "allow" in local.te. if it is in this macros at the end...
Do I need to install the policy source and edit it?
However, I am more interested in solving the Firefox problem on fc6.
On the other hand I do not understand how can login be disabled in the strict
policy in F7. Is this a bug or a feature. I am really confused.
--- shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp> wrote:
Ooops
This seems to be the same problem as Hal has.
My suggestion is, do not use allow sentence, but
use interface.
Please read Hal and I might solve this problem.
comment out those line same as interface says.
I mean,
#aloow locao_login_t ...
You can do it !
Because I already solved it.
2007-08-08 (æ°´) ã® 02:11 -0700 ã« Louis Lam ããã¯æ¸ãã¾ãã:
> Hi,
>
> I'm trying to enable strict policy on fc7, need to do this too. But i
> got this error when I tried to compile the module
>
> [root@localhost local_module_for_login]# make
> -f /usr/share/selinux/devel/Makefile local.pp
> Compiling targeted local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> local.te:10:ERROR 'unknown class capability used in rule' at token
';'
> on line 80642:
> #line 10
> allow local_login_t self:capability audit_write;
> /usr/bin/checkmodule: error(s) encountered while parsing
> configuration
> make: *** [tmp/local.mod] Error 1
>
> Thanks & Rgds,
> Louis
>
> ----- Original Message ----
> From: shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp>
> To: Hal <hal_bg(a)yahoo.com>; fedora-selinux-list(a)redhat.com
> Sent: Tuesday, August 7, 2007 5:27:16 PM
> Subject: Re: Strict policy on FC6 and F7
>
> 2007-08-07 (ç«) ã® 09:48 -0700 ã« Hal ããã¯æ¸ãã¾ãã:
> > Hallo
> >
> > After a problem with the strict policy in FC6: firefox does not
> start under
> > strict policy. No messages at all. I decided to check if firefox
> under strict
> > policy on F7 works.
> > I have installed F7 and enabled strict policy. But from now on I can
> no longer
> > login in enforcing is on . When I enter username and password and I
> get
> > permission denied even for root in GDM. In console I just get new
> "username"
> > prompt.
> >
> > I do not understand why firefox does not start in fc6 and
> > can not longin on F7 under strict policy?
> >
> > What might be wrong?
> > Because, now you're in enforcing mode,
> please disable SELinux and login.
> Install devel policy.
>
> #yum install selinux-policy-devel
>
> Please install this module.
>
> #vim local.te
>
> module local 1.0;
>
> require {
> type local_login_t;
> class netlink_audit_socket { append bind connect shutdown
> ioctl
> getattr
> setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create
> read };
> }
>
> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
>
> #make -f /usr/share/selinux/devel/Makefile local.pp
> #semodule -i local.pp
> #semodule -l|grep local
>
> Set SELinux enforcing.
>
> Did it work?
>
>
> > Hal
> >
> >
> >
> >
> >
> >
>
____________________________________________________________________________________
> > Luggage? GPS? Comic books?
> > Check out fitting gifts for grads at Yahoo! Search
> > http://search.yahoo.com/search?fr=oni_on_mail&p=graduation
> +gifts&cs=bz
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
>
>
> Send instant messages to your online friends
> http://uk.messenger.yahoo.com
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
____________________________________________________________________________________
Take the Internet to Go: Yahoo!Go puts the Internet in your pocket: mail, news, photos
& more.
http://mobile.yahoo.com/go?refer=1GNXIC
2:55 p.m.
New subject: Strict policy on FC6 and F7
On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
I have tryed with
logging_send_audit_msgs(local_login_t)
But still:
[root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:9:ERROR 'unknown class capability used in rule' at token ';' on
line
81105:
#line 9
allow local_login_t self:capability audit_write;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
I really have no idea what all this means.
there is nowhere "allow" in local.te. if it is in this macros at the end...
Do I need to install the policy source and edit it?
It is in the interface. You need to change this:
> > module local 1.0;
to this:
policy_module(local,1.0)
It will automatically require all of the kernel object classes.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
3:32 p.m.
New subject: Strict policy on FC6 and F7
Well
I manged to compile the module, but
it does not work for me.
Compiled,loaded,set enforcing and: "authentication failed" again.
I do not know if I am stupid, but I can not get a long with this Selinux...
Does this nodule work for you guys????
hal
--- "Christopher J. PeBenito" <cpebenito(a)tresys.com> wrote:
On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
> I have tryed with
> logging_send_audit_msgs(local_login_t)
>
> But still:
> [root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
> Compiling strict local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> local.te:9:ERROR 'unknown class capability used in rule' at token
';' on
line
> 81105:
> #line 9
> allow local_login_t self:capability audit_write;
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/local.mod] Error 1
>
> I really have no idea what all this means.
> there is nowhere "allow" in local.te. if it is in this macros at the
end...
> Do I need to install the policy source and edit it?
It is in the interface. You need to change this:
> > > module local 1.0;
to this:
policy_module(local,1.0)
It will automatically require all of the kernel object classes.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
____________________________________________________________________________________
Luggage? GPS? Comic books?
Check out fitting gifts for grads at Yahoo! Search
http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&...
4:23 p.m.
New subject: Strict policy on FC6 and F7
2007-08-08 (水) の 13:32 -0700 に Hal さんは書きました:
Well
I manged to compile the module, but
it does not work for me.
Compiled,loaded,set enforcing and: "authentication failed" again.
I do not know if I am stupid, but I can not get a long with this Selinux...
Does this nodule work for you guys????
hal
--- "Christopher J. PeBenito" <cpebenito(a)tresys.com> wrote:
> On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
> > I have tryed with
> > logging_send_audit_msgs(local_login_t)
> >
> > But still:
> > [root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
> > Compiling strict local module
> > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> > local.te:9:ERROR 'unknown class capability used in rule' at token
';' on
> line
> > 81105:
> > #line 9
> > allow local_login_t self:capability audit_write;
Because we did
not write
class capability { audit_write };
in require brace.
write it and try again.
Did you make it?
As a matter of fact, I have another problem on strict policy.
I ended up breaking F7 altogether eliminating libselinux with --nodeps.
Now I'm trying to upgrade FC6 to F7.
You can upgrade FC6 to F7, if you are tired of your process on F7.
Do not stop trying strict policy.Never surrender.
It's rewarding, and SELinux guys will guide you to the right place.
> > /usr/bin/checkmodule: error(s) encountered while parsing
configuration
> > make: *** [tmp/local.mod] Error 1
> >
> > I really have no idea what all this means.
> > there is nowhere "allow" in local.te. if it is in this macros at the
end...
> > Do I need to install the policy source and edit it?
>
> It is in the interface. You need to change this:
>
> > > > module local 1.0;
>
> to this:
>
> policy_module(local,1.0)
>
> It will automatically require all of the kernel object classes.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>
____________________________________________________________________________________
Luggage? GPS? Comic books?
Check out fitting gifts for grads at Yahoo! Search
http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&...
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
4:43 p.m.
New subject: Strict policy on FC6 and F7
Authentication failed again:(
but meanwhile I have checked firefox on strict policy on FC7 it does not work.
--- shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp> wrote:
2007-08-08 (æ°´) ã® 13:32 -0700 ã« Hal ããã¯æ¸ãã¾ãã:
> Well
> I manged to compile the module, but
> it does not work for me.
> Compiled,loaded,set enforcing and: "authentication failed" again.
>
> I do not know if I am stupid, but I can not get a long with this Selinux...
>
> Does this nodule work for you guys????
>
> hal
>
> --- "Christopher J. PeBenito" <cpebenito(a)tresys.com> wrote:
>
> > On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
> > > I have tryed with
> > > logging_send_audit_msgs(local_login_t)
> > >
> > > But still:
> > > [root@localhost hal]# make -f /usr/share/selinux/devel/Makefile
local.pp
> > > Compiling strict local module
> > > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> > > local.te:9:ERROR 'unknown class capability used in rule' at token
';'
on
> > line
> > > 81105:
> > > #line 9
> > > allow local_login_t self:capability audit_write;
Because we did not write
class capability { audit_write };
in require brace.
write it and try again.
Did you make it?
As a matter of fact, I have another problem on strict policy.
I ended up breaking F7 altogether eliminating libselinux with --nodeps.
Now I'm trying to upgrade FC6 to F7.
You can upgrade FC6 to F7, if you are tired of your process on F7.
Do not stop trying strict policy.Never surrender.
It's rewarding, and SELinux guys will guide you to the right place.
> > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > make: *** [tmp/local.mod] Error 1
> > >
> > > I really have no idea what all this means.
> > > there is nowhere "allow" in local.te. if it is in this macros at
the
end...
> > > Do I need to install the policy source and edit it?
> >
> > It is in the interface. You need to change this:
> >
> > > > > module local 1.0;
> >
> > to this:
> >
> > policy_module(local,1.0)
> >
> > It will automatically require all of the kernel object classes.
> >
> > --
> > Chris PeBenito
> > Tresys Technology, LLC
> > (410) 290-1411 x150
> >
> >
>
>
>
>
____________________________________________________________________________________
> Luggage? GPS? Comic books?
> Check out fitting gifts for grads at Yahoo! Search
> http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&...
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
____________________________________________________________________________________
Sick sense of humor? Visit Yahoo! TV's
Comedy with an Edge to see what's on, when.
http://tv.yahoo.com/collections/222
4:55 p.m.
New subject: Strict policy on FC6 and F7
I think F7 strict policy is broken.
Let's wait for a while until SELinux guys fix it.
I decided to play with FC6 this time.
2007-08-08 (水) の 14:43 -0700 に Hal さんは書きました:
Authentication failed again:(
but meanwhile I have checked firefox on strict policy on FC7 it does not work.
--- shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp> wrote:
> 2007-08-08 (æ°´) ã® 13:32 -0700 ã« Hal ã•ã‚“ã¯æ›¸ãã¾ã—ãŸ:
> > Well
> > I manged to compile the module, but
> > it does not work for me.
> > Compiled,loaded,set enforcing and: "authentication failed" again.
> >
> > I do not know if I am stupid, but I can not get a long with this Selinux...
>
> >
> > Does this nodule work for you guys????
> >
> > hal
> >
> > --- "Christopher J. PeBenito" <cpebenito(a)tresys.com> wrote:
> >
> > > On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
> > > > I have tryed with
> > > > logging_send_audit_msgs(local_login_t)
> > > >
> > > > But still:
> > > > [root@localhost hal]# make -f /usr/share/selinux/devel/Makefile
> local.pp
> > > > Compiling strict local module
> > > > /usr/bin/checkmodule: loading policy configuration from
tmp/local.tmp
> > > > local.te:9:ERROR 'unknown class capability used in rule' at
token ';'
> on
> > > line
> > > > 81105:
> > > > #line 9
> > > > allow local_login_t self:capability audit_write;
> Because we did not write
>
> class capability { audit_write };
>
> in require brace.
>
> write it and try again.
> Did you make it?
>
>
> As a matter of fact, I have another problem on strict policy.
> I ended up breaking F7 altogether eliminating libselinux with --nodeps.
> Now I'm trying to upgrade FC6 to F7.
> You can upgrade FC6 to F7, if you are tired of your process on F7.
> Do not stop trying strict policy.Never surrender.
> It's rewarding, and SELinux guys will guide you to the right place.
>
>
> > > > /usr/bin/checkmodule: error(s) encountered while parsing
configuration
> > > > make: *** [tmp/local.mod] Error 1
> > > >
> > > > I really have no idea what all this means.
> > > > there is nowhere "allow" in local.te. if it is in this
macros at the
> end...
> > > > Do I need to install the policy source and edit it?
> > >
> > > It is in the interface. You need to change this:
> > >
> > > > > > module local 1.0;
> > >
> > > to this:
> > >
> > > policy_module(local,1.0)
> > >
> > > It will automatically require all of the kernel object classes.
> > >
> > > --
> > > Chris PeBenito
> > > Tresys Technology, LLC
> > > (410) 290-1411 x150
> > >
> > >
> >
> >
> >
> >
>
____________________________________________________________________________________
> > Luggage? GPS? Comic books?
> > Check out fitting gifts for grads at Yahoo! Search
> > http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&...
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
____________________________________________________________________________________
Sick sense of humor? Visit Yahoo! TV's
Comedy with an Edge to see what's on, when.
http://tv.yahoo.com/collections/222
10:16 a.m.
New subject: Strict policy on FC6 and F7
shintaro_fujiwara wrote:
I think F7 strict policy is broken.
Let's wait for a while until SELinux guys fix it.
I decided to play with FC6 this time.
2007-08-08 (水) の 14:43 -0700 に Hal さんは書きました:
> Authentication failed again:(
> but meanwhile I have checked firefox on strict policy on FC7 it does not work.
>
> --- shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp> wrote:
>
>
>> 2007-08-08 (æ°´) ã® 13:32 -0700 ã« Hal ã•ã‚“ã¯æ›¸ãã¾ã—ãŸ:
>>
>>> Well
>>> I manged to compile the module, but
>>> it does not work for me.
>>> Compiled,loaded,set enforcing and: "authentication failed" again.
>>>
>>> I do not know if I am stupid, but I can not get a long with this Selinux...
>>>
>>> Does this nodule work for you guys????
>>>
>>> hal
>>>
>>> --- "Christopher J. PeBenito" <cpebenito(a)tresys.com> wrote:
>>>
>>>
>>>> On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
>>>>
>>>>> I have tryed with
>>>>> logging_send_audit_msgs(local_login_t)
>>>>>
>>>>> But still:
>>>>> [root@localhost hal]# make -f /usr/share/selinux/devel/Makefile
>>>>>
>> local.pp
>>
>>>>> Compiling strict local module
>>>>> /usr/bin/checkmodule: loading policy configuration from
tmp/local.tmp
>>>>> local.te:9:ERROR 'unknown class capability used in rule' at
token ';'
>>>>>
>> on
>>
>>>> line
>>>>
>>>>> 81105:
>>>>> #line 9
>>>>> allow local_login_t self:capability audit_write;
>>>>>
>> Because we did not write
>>
>> class capability { audit_write };
>>
>> in require brace.
>>
>> write it and try again.
>> Did you make it?
>>
>>
>> As a matter of fact, I have another problem on strict policy.
>> I ended up breaking F7 altogether eliminating libselinux with --nodeps.
>> Now I'm trying to upgrade FC6 to F7.
>> You can upgrade FC6 to F7, if you are tired of your process on F7.
>> Do not stop trying strict policy.Never surrender.
>> It's rewarding, and SELinux guys will guide you to the right place.
>>
>>
>>
>>>>> /usr/bin/checkmodule: error(s) encountered while parsing
configuration
>>>>> make: *** [tmp/local.mod] Error 1
>>>>>
>>>>> I really have no idea what all this means.
>>>>> there is nowhere "allow" in local.te. if it is in this
macros at the
>>>>>
>> end...
>>
>>>>> Do I need to install the policy source and edit it?
>>>>>
>>>> It is in the interface. You need to change this:
>>>>
>>>>
>>>>>>> module local 1.0;
>>>>>>>
>>>> to this:
>>>>
>>>> policy_module(local,1.0)
>>>>
>>>> It will automatically require all of the kernel object classes.
>>>>
>>>> --
>>>> Chris PeBenito
>>>> Tresys Technology, LLC
>>>> (410) 290-1411 x150
>>>>
>>>>
>>>>
>>>
>>>
>>>
> ____________________________________________________________________________________
>
>>> Luggage? GPS? Comic books?
>>> Check out fitting gifts for grads at Yahoo! Search
>>>
http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&...
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>>
>
>
> ____________________________________________________________________________________
> Sick sense of humor? Visit Yahoo! TV's
> Comedy with an Edge to see what's on, when.
> http://tv.yahoo.com/collections/222
>
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I am not sure what is broken on Firefox on Strict policy as of Fedora
7. I have begun the merge of strict and targeted in rawhide Fedora Core
8/Test1. I have done some rewriting of the Mozilla/Firefox policy.
There were several problems in the existing policy and several problems
in the way the OS is designed. Mainly these dealt with the use of the
/tmp file system by gnome.
I have rewritten the mozilla policy to use one of three booleans.
firefox no network access (r/only)
Firefox with network access (R/O on homedir)
Firefox with network access (r/w on homedir)
firefox currently transitions form the user domain to
userdoman_mozilla_t. So for example
user_t - > user_mozilla_t. But I am allowing firefox to r/w user_tmp_t
as well as user_mozilla_tmp_t.
This allows firefox to interact with X sockets, gdm_files, iceauth
files, orbitz files. Trying to lock this down does not
work.
So if you want to use a locked down firefox, I would recommend looking
at Fedora 8 Test1, and setting up a xguest user.
xguest users can only access the web via firefox and are totally locked
down.
6103
days inactive
6105
days old
selinux@lists.fedoraproject.org
10 comments
5 participants
participants (5)
-
Christopher J. PeBenito -
Daniel J Walsh -
Hal -
Louis Lam -
shintaro_fujiwara